VPN Tunnel wont come up for Cisco ASA 5505 1

[chunalt787]

I am somewhat of a newbie at this stuff but I am trying to set up a site to site vpn using two Cisco ASA 5505's. I went through the wizard on the ADSM but I can't seem to get the tunnel to come up. I have it set up as follows:

Comp #1 --- cat5 --- (inside)ASA #1(outside) --- cat5 --- (outside)ASA #2(inside) --- cat5 --- Comp #2

IP addresses:
Comp 1: 134.133.56.101
ASA 1 Inside: 134.131.56.251
ASA 1 Outside: 209.165.200.226
ASA 2 Outside: 209.165.200.236
ASA 2 Inside: 134.133.57.252
Comp 2: 134.133.57.102
Note: theses are static and will not be hooked up to the internet at any time. IP addresses were arbitrarily chosen.

Comp 1 can ping ASA 1
ASA 1 can ping ASA 2(inside only)
ASA 2 can ping ASA 1(inside and outside)
Comp 2 can ping ASA 2

I just tried the crossover and that didn't seem to do any thing. I have been messing with ASA 1 too much so ASA 2 actually has the config that is closer to being right. I have posted that down below. If you have any questions please ask. Any help is greatly appreciated.

CONFIG FOR ASA 2:

: Saved
:
ASA Version 8.0(4)
!
hostname ciscoasb
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 134.133.56.0 inside-network2
!
interface Vlan1
nameif inside
security-level 100
ip address 134.133.57.252 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 209.165.200.236 255.255.255.0
!
interface Vlan5
no forward interface Vlan1
nameif dmz
security-level 50
ip address dhcp
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list outside_1_cryptomap extended permit ip 134.133.57.0 255.255.255.0 inside-network2 255.255.255.0
access-list inside_nat0_outbound extended permit ip 134.133.57.0 255.255.255.0 inside-network2 255.255.255.0
access-list outside_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 0 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 134.133.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 209.165.200.226
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable dmz
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group 209.165.200.226 type ipsec-l2l
tunnel-group 209.165.200.226 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ddfe8555ed8e621f9981d66890e80365
: end
asdm image disk0:/asdm-613.bin
asdm location inside-network2 255.255.255.0 inside
no asdm history enable

 

[unclerico]

post the output from show crypto isakmp sa and show crypto ipsec sa from both devices.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[chunalt787]

FROM ASA 1:
Result of the command: "show crypto isakmp"

There are no isakmp sas

Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 7
In Octets: 11120
In Packets: 47
In Drop Packets: 10
In Notifys: 20
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 9240
Out Packets: 38
Out Drop Packets: 7
Out Notifys: 0
Out P2 Exchanges: 7
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 9
Initiator Fails: 2
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0


Result of the command: "show crypto ipsec sa"

There are no ipsec sas

________________________________________________________
FROM ASA 2:
Result of the command: "show crypto isakmp"

There are no isakmp sas

Global IKE Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0

Global IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0


Result of the command: "show crypto ipsec sa"

There are no ipsec sas

 

[unclerico]

next thing to do is to run a debug on both sides:
- debug crypto isakmp

post the results.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[chunalt787]

Its not showing anything. Am I supposed to be setting my debug level to something then using a different command to view it? I haven't used the CLI before and from the help command it appears that -debug crypto isakmp is just to set the debug levels.

Sorry for the dumb questions. I really appreciate you trying to help.

 

[unclerico]

you should be able to set it at a level of 7. Once it is set you need to initiate client traffic from a host behind one side to the other side (i.e. ping PC1 from PC2 or vice versa)

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[chunalt787]

I did that and tried to ping from the computer all over the place and it didn't show anything in my hyper terminal window or even the ADSM logging. Its like there isn't even traffic thats attempting to flow.

 

[unclerico]

try adding a default route to ASA2. It looks like ASA1 has had some Phase1 traffic generating and I'm going to assume that it has a default route.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)

 

[stubnski]

I am not sure of the 5505's ASDM but ASA's have a pretty good real time syslog that you can quickly see where the VPN issues lie (Phase 1, Phase 2).

Since you're not familiar with CLI try using the ASA monitoring tools to see where the issue is. Monitoring -->Logging --> View (change the Logging level to Debugging). Run a ping and see what stops it - ACL, typo on PSK...


Stubnski